By default every new RestApi instance replaces the single CloudWatch Role on API Gateway
We discovered that our API Gateway cloudwatch role was being overwritten by deployments of RestApi constructs. The CloudWatch Role is associated with the API Gateway’s Account resource. The API Gateway only supports 1 role for providing it the permissions required to write to CloudWatch so it seems strange to assume that every RestApi deployed is going to want to create that role and update the API Gateway Account automatically.
The cloudWatchRole property of RestApiProps should default to false.
Reproduction Steps
In an AWS account that has already set up API Gateway’s CloudWatch Role (by whatever means) run:
$ aws apigateway get-account
{
    "cloudwatchRoleArn": "arn:aws:iam::NNNNNNNNN:role/apigateway.amazonaws.com",
    "throttleSettings": {
        "burstLimit": 1050,
        "rateLimit": 2100.0
    },
    "features": [
        "UsagePlans",
        "ArbitraryUsageIdentifierKeys"
    ],
    "apiKeyVersion": "4"
}
Note the cloudwatchRoleArn and deploy a new stack that uses the RestApi construct without providing a value for the cloudWatchRole property. When you run aws apigateway get-account again you will see that the RestApi construct creates a new role and overwrites the role association that was previously established with API Gateway’s Account resource.
Error Log
In our case we found that when the role was replaced our existing api gateway deployments were no longer able to write to cloudwatch logs. Our workaround is to do our best to ensure that nobody creates a RestApi construct without setting the cloudWatchRole property to false.
Environment
- CLI Version: cdk version 1.31.0, aws-cli/1.16.260
- Framework Version: 1.31.0
- OS: Mac OS
- Language: Typescript
Other
This is 🐛 Bug Report
Issue Analytics
- State:
- Created 3 years ago
- Reactions:4
- Comments:5 (1 by maintainers)
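The workaround in the report relies on nobody forgetting cloudWatchRole: false. The following is an added example, not code from the issue or from the CDK: a check over a synthesized CloudFormation template that reports any AWS::ApiGateway::Account resource setting CloudWatchRoleArn, which is the resource that re-points the account-level role. The function name, the sample logical IDs and the use of DependsOn to name the owning RestApi are assumptions made for illustration.

```typescript
// Added example (not CDK code): find resources in a synthesized template that
// would re-point API Gateway's account-level CloudWatch role on deploy.
interface CfnResource {
  Type: string;
  Properties?: Record<string, unknown>;
  DependsOn?: string | string[];
}
interface CfnTemplate {
  Resources?: Record<string, CfnResource>;
}
interface AccountRoleFinding {
  logicalId: string; // the AWS::ApiGateway::Account resource
  roleRef: string; // CloudWatchRoleArn value as JSON (usually an intrinsic)
  restApis: string[]; // RestApi resources named in DependsOn, if any
}

function findAccountRoleOverrides(template: CfnTemplate): AccountRoleFinding[] {
  const resources = template.Resources ?? {};
  const findings: AccountRoleFinding[] = [];
  for (const [logicalId, res] of Object.entries(resources)) {
    if (res.Type !== "AWS::ApiGateway::Account") continue;
    const roleArn = (res.Properties ?? {})["CloudWatchRoleArn"];
    if (roleArn === undefined) continue; // role association left untouched
    const dependsOn = res.DependsOn;
    const deps: string[] =
      dependsOn === undefined ? [] : Array.isArray(dependsOn) ? dependsOn : [dependsOn];
    const restApis = deps.filter((d) => resources[d]?.Type === "AWS::ApiGateway::RestApi");
    findings.push({ logicalId, roleRef: JSON.stringify(roleArn), restApis });
  }
  return findings;
}

// Constructed sample: shape of a stack whose RestApi kept the default.
const defaultTemplate: CfnTemplate = {
  Resources: {
    OrdersApi: { Type: "AWS::ApiGateway::RestApi", Properties: { Name: "orders" } },
    OrdersApiCloudWatchRole: { Type: "AWS::IAM::Role", Properties: {} },
    OrdersApiAccount: {
      Type: "AWS::ApiGateway::Account",
      Properties: { CloudWatchRoleArn: { "Fn::GetAtt": ["OrdersApiCloudWatchRole", "Arn"] } },
      DependsOn: ["OrdersApi"],
    },
  },
};
// Constructed sample: the same API with cloudWatchRole set to false.
const optedOutTemplate: CfnTemplate = {
  Resources: { OrdersApi: { Type: "AWS::ApiGateway::RestApi", Properties: { Name: "orders" } } },
};
```

In CI, pass it the parsed JSON of each `*.template.json` under `cdk.out` after `cdk synth`, and fail the build on any finding in a stack that is not meant to own the account role.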
Top GitHub Comments
You are correct, in that this is confusing behaviour. The problem is exacerbated by the fact that this property is configured on an instance of RestApi.
Since the API has been out there for a long time and our API Gateway module is stable, we cannot change this default. It will change the behaviour on all new CDK deployments, and customers will not know that this has changed.
A better approach may be to deprecate this property, and add a new property (either in RestApi or as a separate construct) with the correct default and behaviour.